Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11731
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-13 10:57:21 | thehackernews | CYBERCRIME | Microsoft Exposes Cybercriminals Exploiting OAuth for Cryptojacking, Phishing | Microsoft has identified that hackers are misusing OAuth applications for cryptocurrency mining and phishing attacks.
OAuth, an authorization framework, is being manipulated to deploy VMs and launch phishing campaigns by compromising user accounts.
The compromised accounts are used to create or alter OAuth applications, increasing permissions and hiding malicious activities.
Attackers use phishing or password-spraying to target accounts with the ability to configure OAuth applications; Microsoft highlights the group Storm-1283 as an example.
Once they obtain access, these adversaries may engage in activities like financial fraud reconnaissance or the distribution of phishing emails.
Microsoft observed instances where attackers maintained persistence and bypassed authentication by stealing and leveraging session cookies.
Microsoft suggests defenses such as enabling multi-factor authentication, conditional access policies, and regularly auditing apps and permissions to counter such security threats. | Details |
| 2023-12-13 10:31:45 | theregister | DATA BREACH | Massive Data Exposure Affects Nearly a Million Non-Profit Donors | Nearly one million records containing sensitive donor information were exposed in an online database that was not secured.
The database belonged to DonorView, a provider of fundraising platforms used by various non-profit entities such as schools and charities.
Personal information exposed included donor names, addresses, phone numbers, emails, payment methods, and more.
Children's names, medical conditions, and other sensitive details were found among the exposed data, raising severe privacy concerns.
The database was secured within days after a disclosure report by security researcher Jeremiah Fowler, but there was no response from DonorView.
It is unknown whether the data was accessed by unauthorized parties or how long it was exposed before being discovered.
The incident highlights the risks associated with data breaches, including potential phishing attacks targeting donors using their exposed information. | Details |
| 2023-12-13 10:21:17 | thehackernews | CYBERCRIME | Cyber Attack Disrupts Services of Ukraine's Leading Telecom Kyivstar | Ukraine's largest telecom provider, Kyivstar, has been hit by a significant cyber attack that compromised mobile and internet service access across the country.
The attack caused notable disruptions to the air raid alert network and has affected the banking sector, with efforts ongoing to restore full connectivity.
Kyivstar has approximately 25 million mobile subscribers and over a million home internet customers, all potentially affected by the service outage.
The company has reported the incident to law enforcement and believes the attack is linked to the ongoing war with Russia, although no customer data breach evidence has surfaced yet.
Kyivstar also confirmed plans for compensation to its subscribers and corporate clients once the network is stabilized and cautioned customers about potential scams.
The pro-Russia group KillNet claimed responsibility for the cyber attack on Kyivstar, amidst changes in its own leadership, with new recruitment and more attacks planned.
Concurrently, Ukraine's Defence Intelligence claims to have hacked the Russian Federal Taxation Service, affecting over 2300 servers, which Russian officials vehemently deny, suggesting it is a deflection from Ukraine’s telecom troubles. | Details |
| 2023-12-13 09:04:30 | theregister | MISCELLANEOUS | The Growing Role of MSSPs in Streamlining Cybersecurity Management | Cybersecurity has become increasingly complex, leading to difficulties in management and a potential security problem itself.
Organizations now use a staggering number of security tools, averaging 50-60 for medium-sized businesses and over 130 for larger enterprises.
The cybersecurity workforce shortfall in the UK has expanded to 367,000, highlighting the challenges in hiring skilled personnel.
Managed Security Service Providers (MSSPs) have emerged as a solution to this complexity, offering outsourced security management as an operational cost.
SecurityHQ, an established MSSP, offers an integrated security service with a variety of protections and tools, such as real-time incident response and digital forensics.
A major benefit of MSSPs is their real-time insight into evolving criminal techniques, like ransomware attacks, which often stem from credential compromise.
Advanced analytics and incident management platforms used by MSSPs enable a proactive approach to threat detection and response.
Despite advances in AI for security, human SOC analysts continue to play a crucial role in interpreting anomalies and understanding network risks. | Details |
| 2023-12-13 06:11:08 | theregister | NATION STATE ACTIVITY | Addressing the Threat of Cyber Mercenaries and State-Sponsored Hacking | A report from the Observer Research Foundation defines notorious cyber groups like Lazarus and firms like NSO Group as 'cyber mercenaries.'
Cyber mercenaries are seen as actors who are financially motivated and offer their hacking services to states, providing them with plausible deniability.
The report emphasizes that these groups are not just criminals, but part of a growing sector that states use to enhance their cyber offensive capabilities affordably.
It argues that hiring cyber mercenaries is cost-effective for nations, as it eliminates the need for HR and training associated with in-house cyber-ops teams.
The report calls for international legislation to ensure that intelligence and digital forensic tools comply with human rights obligations.
Peaceful nations sometimes exploit legislative loopholes to shelter cyber mercenary operations that could potentially misuse or leak sensitive information.
In the case of the infamous Pegasus malware by NSO Group, its use has been left unregulated by the EU, leading to its deployment against a broad spectrum of targets by member states.
The Observer Research Foundation's report concludes with a call for citizen demand for accountability from governments and corporations employing cyber mercenaries and notes the role of civil society in legal challenges for greater transparency. | Details |
| 2023-12-13 05:55:31 | thehackernews | CYBERCRIME | Microsoft Seals 33 Software Vulnerabilities in Year-End Update | Microsoft's final Patch Tuesday for 2023 addressed 33 software vulnerabilities, with 4 rated Critical and 29 deemed Important.
The company has patched over 900 flaws throughout the year, reflecting a busy period for their cybersecurity efforts.
Among the fixes was CVE-2023-36019, which prevents the execution of malicious scripts via crafted URLs in victims' browsers.
Added security measures were implemented for Dynamic Host Configuration Protocol (DHCP) servers to prevent denial-of-service and information disclosure.
A report by Akamai highlighted new attacks against Active Directory domains via Microsoft DHCP servers, capable of leading to full domain compromises.
Microsoft suggests disabling DHCP DNS Dynamic Updates when unnecessary and avoiding DNSUpdateProxy to mitigate certain risks.
Other vendors have also issued security updates for various vulnerabilities since the beginning of the month. | Details |
| 2023-12-13 00:45:36 | theregister | CYBERCRIME | Tech Giants Issue Critical Updates Following Vulnerability Exploits | Apple released patches for two critical WebKit vulnerabilities that may have been exploited in malicious activities.
Microsoft patched over 30 flaws in their final 2023 update, including critical remote code execution and spoofing vulnerabilities, with one spoofing bug affecting Microsoft Power Platform and Azure Logic Apps, rated at CVSS 9.6.
Adobe's substantial update addressed 212 vulnerabilities, with 185 cross-site scripting flaws found in Experience Manager allowing for arbitrary code execution and security feature bypass.
Google updated Android to fix 85 vulnerabilities, three of which were Qualcomm component flaws under targeted exploitation.
SAP released critical patches for a privilege escalation vulnerability in its Business Technology Platform, underscoring its severity with a separate blog post.
Atlassian, Cisco, and Apache Struts all disclosed high-severity vulnerabilities, with Cisco investigating potential impacts on its products from a disclosed Apache Struts remote code execution vulnerability.
VMware and FortiGuard addressed a moderate-level privilege escalation flaw and a high-severity code execution vulnerability, respectively, rounding off the significant industry-wide patch rollout. | Details |
| 2023-12-12 23:54:39 | bleepingcomputer | CYBERCRIME | OAuth Exploitation Leads to BEC Scams and Unauthorized Cryptomining | Threat actors are misusing Microsoft OAuth applications to automate phishing, execute BEC attacks, and deploy cryptomining VMs.
OAuth, crucial for secure access to server resources, is being targeted due to user accounts with inadequate protection, such as lack of multi-factor authentication.
Compromised accounts with permission to modify OAuth apps are used to grant high privileges to malicious applications, ensuring attackers' persistent access.
Attackers leverage these apps for various malicious activities; reported financial damages range from $10,000 to $1.5 million.
Microsoft tracked and dismantled a campaign with 17,000 malicious OAuth apps that sent over 927,000 phishing emails.
Threat actors also executed password-spraying to compromise accounts, aiding in persistent spam campaigns.
Microsoft recommends enforcing MFA and conditional access policies, among other security measures, to protect against these types of cyber attacks. | Details |
| 2023-12-12 20:41:08 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Military Intelligence Claims Hack on Russian Tax Agency | The Ukrainian military intelligence service asserts that it has successfully hacked the Russian Federal Taxation Service (FNS), erasing the agency's central database and backups.
The cyberattack reportedly spread malware across both the central servers operated by the FNS and 2,300 regional servers, including those in occupied Ukrainian territories.
This offensive compromised a Russian IT firm that services the FNS, leading to a loss of essential configuration files and causing a severe system collapse.
The GUR (Main Directorate of Intelligence of Ukraine) suggests that the tax system outage in Russia might last for a month or more, with full recovery unlikely.
Official Ukrainian claims of cyber operations emphasize the increasing use of cyber warfare in the conflict, marking this as the second publicized attack following a previous breach of Russia's Federal Air Transport Agency.
On the Ukrainian side, Kyivstar, the country's largest telecom provider, experienced a significant cyberattack, affecting 25 million subscribers and disrupting internet, air raid alerts, and banking services. | Details |
| 2023-12-12 19:44:39 | theregister | CYBERCRIME | Ex-Engineer Sentenced for Damaging Bank's Network Post-Firing | Miklos Daniel Brody, a former First Republic Bank cloud engineer, was sentenced to two years in prison for intentionally damaging the bank's computer network, violating the Computer Fraud and Abuse Act.
Brody caused over $220,000 in damages and was ordered to pay $529,266.37 in restitution, in addition to serving a three-year supervised release post-imprisonment.
Fired for company policy violation on March 11, 2020, Brody later used unauthorized access to deploy malware and delete critical data from the bank's systems.
Brody's post-termination activities included impersonating a colleague, damaging IT infrastructure, and emailing proprietary code to himself.
The bank faced significant disruption, including locked-out users and deleted code repositories, with damages exceeding $220,000.
Following his dismissal, Brody made several false claims, including a falsified police report stating his company laptop was stolen, and lied to US Secret Service agents.
The incident highlights the critical importance of timely revocation of employee access upon termination to prevent retaliation and secure company assets. | Details |
| 2023-12-12 19:03:37 | bleepingcomputer | CYBERCRIME | Microsoft Rolls Out Fixes for 34 Vulnerabilities Including One Zero-Day | Microsoft's December 2023 Patch Tuesday addressed 34 security issues, among which was a previously disclosed but unpatched AMD CPU zero-day vulnerability.
Despite identifying eight remote code execution (RCE) bugs, only three received a critical rating from Microsoft.
The patch included fixes for four critical flaws, impacting Power Platform, Internet Connection Sharing, and the Windows MSHTML Platform.
The zero-day vulnerability, identified as CVE-2023-20588 (AMD Speculative Leaks), is a division-by-zero error in selected AMD processors that poses a risk of leaking sensitive data.
AMD's stance on the zero-day was to advise adherence to software development best practices, deeming the threat low due to the need for local access to exploit it.
Alongside Microsoft's updates, other companies have also issued updates or advisories for December 2023.
In-depth details of each resolved vulnerability from the December Patch Tuesday update are accessible for review in the full report. | Details |
| 2023-12-12 18:12:01 | thehackernews | DATA BREACH | EHRs Targeted: Healthcare Industry's Data Breach Dilemma | Electronic Health Records (EHRs) are a highly valued commodity on the dark web, fetching up to $1,000 each due to the irrevocability of personal data.
The healthcare sector has faced the highest average costs per breach for 12 years, with figures exceeding $10 million, outstripping the financial industry's average cost.
There has been more than a threefold increase in hacking or IT incidents reported by the healthcare sector to the US Department of Health & Human Services from 2018 to 2022.
Ransomware attacks leverage the essential nature of healthcare services, with the industry's expanding use of digital systems making it an attractive target.
Healthcare organizations must adopt an attacker's mindset to protect sensitive data, focusing on asset inventory and monitoring their attack surface.
The leaking of 10 million secrets on GitHub in 2022 points to the widespread issue of exposed credentials, which can lead to significant security breaches in healthcare systems.
Continuous vigilance and proactive measures such as GitHub attack surface audits and the integration of honeytokens are recommended to improve cybersecurity postures.
As the sector continues to digitally evolve, maintaining robust cybersecurity practices and fostering a culture of security awareness are crucial for safeguarding patient data. | Details |
| 2023-12-12 18:01:36 | theregister | DATA BREACH | Airman’s Discord Leak Exposes Military Cybersecurity Lapses | Air National Guardsman, Airman 1st Class Jack Teixeira, leaked top-secret US military documents on a Discord server, leading to an Air Force investigation.
Despite clear warning signs, Teixeira's chain of command failed to take adequate action, with incidents occurring as early as February 2022.
Teixeira had access to the Top Secret-Sensitive Compartmented Information (TS-SCI) platform through his role in the 102nd Intelligence Wing.
Multiple incidents where Teixeira displayed suspicious behavior were either not documented properly or not reported to security officials.
Leadership failures and systemic issues within the unit, such as inadequate supervision and lack of permissions controls, contributed to the security oversight.
Fifteen Air National Guard leaders have faced disciplinary action, with some permanently removed from their positions; reforms have been instituted to prevent future breaches. | Details |
| 2023-12-12 17:30:46 | bleepingcomputer | CYBERCRIME | Sophos Implements Urgent Fix for Unsupported Firewalls After Attacks | Sophos has backported a security update to fix the actively exploited vulnerability CVE-2022-3236 in end-of-life firewall firmware versions.
The remote code execution flaw exists in the User Portal and Webadmin of Sophos Firewall, initially addressed in September 2022 for current versions.
Over 4,000 internet-visible appliances were still vulnerable in January 2023 due to running outdated firmware not automatically receiving updates.
Hackers targeted these unsupported and unpatched devices, prompting Sophos to release a backported patch in December 2023 for certain EOL firmware versions.
Sophos automatically applied the patch to 99% of affected organizations with the "accept hotfix" option enabled.
Organizations with disabled auto-update features are advised to manually apply the hotfix or upgrade to newer firewall versions.
Where upgrades are not possible, limiting WAN access to the User Portal and Webadmin and using VPN or Sophos Central for management is recommended. | Details |
| 2023-12-12 15:48:29 | bleepingcomputer | CYBERCRIME | Kyivstar, Ukraine's Top Mobile Carrier, Crippled by Cyberattack | Ukraine's leading mobile operator Kyivstar has sustained a cyberattack impacting its mobile and internet services for over 25 million subscribers.
The company's official website went offline; however, Kyivstar kept subscribers updated on the situation via social media.
The Security Service of Ukraine (SSU) is conducting an investigation into the matter, which has led to criminal proceedings under various articles of the Ukrainian criminal code.
NetBlocks confirmed a significant drop in Kyivstar's internet traffic following the attack, indicating a loss of service.
Kyivstar has reassured customers that no personal data was compromised and promises compensation for the inconvenience.
The incident is suspected to be the work of Russian hackers due to the ongoing conflict, though no confirmation has been made.
Alternative mobile services are being offered by Vodafone Ukraine, and free internal roaming allows users to connect to other networks during outages.
The Ukrainian Interior Minister has ensured that emergency services remain reachable, and individuals can contact relatives through local police or fire stations during the outage. | Details |